elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[New Integration] Sublime Security #10425

Open jamiehynds opened 1 month ago

jamiehynds commented 1 month ago

Description

Sublime is a programmable cloud email security platform for Microsoft 365 and Google Workspace environments. This integration ingests alerts, audit events and raw emails to enable cross-log correlation and sophisticated DFIR workflows.

Architecture

Sublime exposes alerts (flagged message events) and audit events via API, and they also encourage users to forward flagged message events to SIEM/SOAR via webhooks:

A webhook Action sends a notification to a URL of your choosing when one or more Rules with the Action flag an email message. The HTTP notification includes information about the message, the mailbox, the flagged Rules, and any triggered Actions, so you can set up an unlimited variety of integrations in response to flagged message events.

Raw email messages can be sent over S3 (Cloud and CloudFormation deployments only. Sublime Enterprise users on Docker deployments can request assistance with exports to S3 in the Sublime support Slack channel.)
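As an added illustration of the webhook path described above (example code for this issue, not Sublime's or the integration's own code): a small normaliser that turns one flagged-message notification into flat, ECS-style fields for cross-log correlation. The payload shape (keys such as `message`, `mailbox`, `flagged_rules`, `triggered_actions`) and the sample values are assumptions constructed for the example; the real notification schema is not described on this page.

```python
"""Normalise a constructed Sublime-style webhook notification into flat,
ECS-style fields. Added example; the payload layout is an assumption."""
import json
from typing import Any

# Constructed sample notification (assumed shape, not a real Sublime event).
SAMPLE_NOTIFICATION = json.dumps({
    "message": {
        "id": "msg-0001",
        "subject": "Invoice attached",
        "sender": {"email": "billing@example.test"},
        "recipients": [{"email": "alice@example.test"}],
    },
    "mailbox": {"email": "alice@example.test"},
    "flagged_rules": [
        {"name": "Attachment with macro", "severity": "high"},
        {"name": "Lookalike sender domain", "severity": "medium"},
    ],
    "triggered_actions": [{"type": "quarantine"}],
})

# Rank used to collapse several rule severities into one event severity.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_notification(payload: dict[str, Any]) -> dict[str, Any]:
    """Map one notification to flat ECS-style keys; tolerate missing parts."""
    message = payload.get("message") or {}
    if not message.get("id"):
        raise ValueError("notification has no message id")

    rules = payload.get("flagged_rules") or []
    actions = payload.get("triggered_actions") or []
    ranks = [SEVERITY_RANK.get(r.get("severity", ""), 0) for r in rules]

    return {
        "event.kind": "alert",
        "event.severity": max(ranks, default=0),
        "email.message_id": message["id"],
        "email.subject": message.get("subject", ""),
        "email.from.address": (message.get("sender") or {}).get("email", ""),
        "email.to.address": [
            r.get("email", "") for r in message.get("recipients") or []
        ],
        "sublime.mailbox": (payload.get("mailbox") or {}).get("email", ""),
        "rule.name": [r.get("name", "") for r in rules],
        "sublime.actions": [a.get("type", "") for a in actions],
    }


def handle_webhook(body: bytes) -> tuple[int, dict[str, Any]]:
    """Receiver entry point: returns an HTTP status and a response body.
    Malformed JSON or a payload without a message id is rejected with 400
    instead of being indexed as a half-empty alert."""
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(payload, dict):
        return 400, {"error": "expected a JSON object"}
    try:
        event = normalize_notification(payload)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 200, {"indexed": event}


if __name__ == "__main__":
    status, response = handle_webhook(SAMPLE_NOTIFICATION.encode())
    print(status, json.dumps(response, indent=2))
```

The handler is deliberately strict: a notification that cannot be tied to a message id is refused rather than stored, so downstream correlation never has to guess which email an alert belongs to.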

terrancedejesus commented 1 month ago

@jamiehynds would love to help review this data when development begins as Sublime has very nice contextual insight into email security.

piyush-elastic commented 1 month ago

@jamiehynds - We did analysis and planning to support both Alerts (flagged message events) and Audit Events using the different input types mentioned below:

  1. AWS S3
     • Alert
     • Audit event
  2. WebHook
     • Alert
  3. API
     • Alert
     • Audit event

jamiehynds commented 1 month ago

@piyush-elastic I think the API and S3 inputs are enough, no need to include webhook support.

Sublime also supports the ability to ingest raw emails via S3, which may be interesting to run some analytics on. Could you and @cpascale43 work with Sublime on the shared Slack channel to see if it's possible to ingest that data from S3 too?

elasticmachine commented 1 month ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)